CVE-2026-26083

Published May 12, 2026

Last updated 24 days ago

CVSS critical 9.8

Overview

Description: A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions, FortiSandbox PaaS 22.2 all versions, FortiSandbox PaaS 22.1 all versions, FortiSandbox PaaS 21.4 all versions, FortiSandbox PaaS 21.3 all versions, FortiSandbox PaaS 5.0.0 through 5.0.1, FortiSandbox PaaS 4.4.5 through 4.4.8 may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.
Source: psirt@fortinet.com
NVD status: Analyzed
Products: fortisandbox, fortisandbox_cloud, fortisandbox_paas

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

psirt@fortinet.com: CWE-862

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "0025C9C0-8D61-4563-96F9-F4E09DD83B26",
            "versionEndExcluding": "4.4.9",
            "versionStartIncluding": "4.4.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "42640C50-5490-4B50-840B-D35031671C42",
            "versionEndExcluding": "5.0.2",
            "versionStartIncluding": "5.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:fortinet:fortisandbox_cloud:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "BB973322-626C-4821-882A-125DD5177251",
            "versionEndExcluding": "5.0.6",
            "versionStartIncluding": "5.0.2",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:fortinet:fortisandbox_cloud:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "7100CD0B-358B-4610-BB84-6E378571176D",
            "versionEndIncluding": "23.4.4374",
            "versionStartIncluding": "23.1.4245",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:fortinet:fortisandbox_cloud:24.1.4436:*:*:*:*:*:*:*",
            "matchCriteriaId": "529FB46C-C0E5-43F5-A753-DD9E928FD4E6",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:fortinet:fortisandbox_paas:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "251F88A0-B42A-475B-80BA-1A6B53620EF8",
            "versionEndExcluding": "4.4.9",
            "versionStartIncluding": "4.4.5",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:fortinet:fortisandbox_paas:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "704EB14E-435A-4AC6-9FBC-C8A926BA22F0",
            "versionEndExcluding": "5.0.2",
            "versionStartIncluding": "5.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:fortinet:fortisandbox_paas:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "594E2353-2D20-400E-B9EA-7A08A49104B3",
            "versionEndIncluding": "23.4.4374",
            "versionStartIncluding": "21.3.4055",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References